‘Gamaredon’ (also known as Shuckworm or Armageddon) has been identified using eight unique binaries in cyber-espionage activities against Ukrainian companies. Since 2013, this hacking group, which is thought to be run directly by the Russian FSB (Federal Security Service), has been responsible for thousands of cyberattacks in Ukraine. Researchers from Symantec’s Threat Hunter team, which is part of Broadcom Software, examined eight malware variants used by Gamaredon against Ukrainian targets in recent attacks, analysis that may help defenders counter the current wave of attacks.
According to a report from Symantec, the monitored attacks began in July with the distribution of spear-phishing emails containing macro-laced Word documents. These files activated a VBS file that dropped “Pteranodon,” a well-documented backdoor that Gamaredon has been developing for over seven years. Recent attacks continue to use phishing emails, but they now deliver eight distinct payloads. Symantec’s analysts selected eight files from recent Gamaredon attacks, all of which are 7-Zip self-extracting binaries that require little user interaction.
- descend.exe – When executed, drops a VBS file to “%PUBLIC%\Pictures\deerbrook.ppt” and “%USERPROFILE%\Downloads\deerbrook.ppt,” and creates a scheduled task on the compromised system. The VBS contacts the C2 server and requests the payload.
- deep-sunken.exe – The downloaded payload drops four additional files on the compromised machine (baby.cmd, baby.dat, basement.exe, which is a wget binary, and vb_baby.vbs), creates a new scheduled task, and contacts the C2 again for the next payload.
- z4z05jn4.egf.exe – Next-stage payload, identical to the previous one but with a different C2; it drops files in other directories and uses new filenames.
- defiant.exe – Drops VBS files to “%TEMP%\deep-versed.nls” and “%PUBLIC%\Pictures\deep-versed.nls” and creates a scheduled task to run them.
- deep-green.exe – UltraVNC remote administration tool that connects to a repeater.
- deep-green.exe – Process Explorer binary for Microsoft Windows.
- deep-green.exe – Identical to defiant.exe but with a different hard-coded C2 and filenames.
- deep-green.exe – Drops VBS in “%PUBLIC%\Music\” and creates a scheduled task that searches for removable drives on the infected system.
According to the Symantec study, many of the dropped files had unknown parent-process hashes that were not analyzed, so aspects of the Gamaredon operation remain unknown. Symantec’s report includes file hashes for the new malware payloads it uncovered.